Keeping it simple, HTTPS is a combination of the HTTP and SSL/TLS protocols, which provides encryption while authenticating the server. The main idea is to create a secure channel over an insecure network, ensuring "reasonable" protection from eavesdroppers and man-in-the-middle attacks.

HTTPS assumes that special CA (Certificate Authority) certificates are pre-installed in web browsers. If your SSL certificate is not signed by one of these CA's, the browser will display a warning:

TurnKey appliances generate self signed certificates on first boot to provide an encrypted traffic channel, but because the certificates are not signed by a trusted CA, the warning is displayed. In most cases, this is acceptable. If it's not, go get a signed certificate.

Authoritatively signed certificates

Cost

Authoritatively signed certificates can be costly, for example, Verisign (the most well known CA) charges $1,499 per year for their recommended certificate. There are cheap alternatives (I recently purchased a certificate from Go Daddy for $12.99) as well as a couple of free providers.

Generate key and CSR

First up is to create a certificate key and a certificate signing request (CSR). This can be done with OpenSSL.

Submit the CSR

The above will generate two files, www_example_com.key and www_example.com.csr.

Once you have signed up for an authoritatively signed certificate, you will be requested to upload the CSR file or its contents.

Verify the request

The signing authority will need to verify the validity of the request and that it was submitted by the entity to which the domain in the request is registered, usually done by contacting the administrative contact for the domain.

Further steps may be required when requesting an Extended Validation (EV) certificate, which color the address bar green in recent browsers.

Download signed certificate

After validation, your signed certificate (crt) will be available for download. Most likely your signing authority will include an intermediate CA certificate bundle (trust chain).

If you are using an SSL certificate for testing, http://www.startssl.org/ offers free certificates that are authorititavely signed. You have to pay for certs that you use for e-commerce and secure transactions, but for testing, their free certs work very well.

I'm not clear on how to update the apache configuration file. Which file do I edit? and how do I edit it? I'm assuming that I would need to modify the:/etc/apache2/sites-available/default file is that right? If so, then how/what do I replace it in the file.

Anyone can help configuring an ssl certificate for a virtual host? I made all the configuration folowing those instructions and my virtual host keeps me providing me the selfsigned certificate from turnkey, even if a configure a dedicate ip address for tha site. Any ideas?

To answer your question at the end: Do you use an authoritatively signed certificate? Is self-signed sufficient?

I tend to use the SSL Generated Certs for Webmin, WebShell and PHPMyAdmin. If I need SSL for a Public site I have been finding $10 certs recently on Comodo and getting irritated when they try to renew for $50.. I think I found a good alternative that seems more "ong term in it price offering just now at:

They have good pricing on Domain Registrations as well though I like Tucows for that.

1 and 2 year SSL certs for less than $10 a year (even 3 years if you want to avoid the hassle).

That was the Hard Work. The next part was just refresh/repeat from previous cert installs.

Run the process outlined in the great blog post above to generate the CSR (Certificate Signing Request).. For me this is easiest in Webmin because I can Copy Paste then edit before submitting look in your root directory to find it, then move it with the the Certs you are Generating to etc/ssl/private (or a folder of your choice).

Generally you need to take 2 Certs (the primary cert and the intermediate cert and copy them into new files --

In Apache - Go to Edit Directives under your 443 Port. The following is my general format calling out .cert (or .crt) .key and intermediate.cert :

In fact I am here posting because I needed to get the script again to generate a CSR and it was about as easy a SSL install as I have done... Templates are the key... and avoid Comodo's Bait and Switch. GeoTrust seems, to me anyway, the more reputable SSL provider.

I think the cheapest out there is StartSSL which gives you the first year free and charges you A LOT in the 2nd year...

Godaddy is reasonable but has bad customer service and is a hassle to install.

I would recommend SSL.com certificate because of their customer service and affordable rates. Go for the FREE 90 days trial first and test them out. Then, get their cheapest certificate (DV) every year. Worth it, especially when you go through the process of actually installing the certificate.

The only part I did forget was to install the intermediate certificate - and so got an error message in Thunderbird. After adding the follwoing line in Postfix the problem was solved and now the SSL certificate is working smoothly (even on my Samsung android mail app):

I purchased a UCC certificate and have it running on three domains on a LAMP server on port 443. That part works fine. One of the server names corresponds to the Webmin installation I have on the machine. How do I configure port 12321 (or 8080 in my case, I changed it) to use the SSL certificate? I tried adding:

<VirtualHost *:8080>

ServerName manager.mydomain.com

DocumentRoot /var/www/

SSLEngine on

SSLCertificateFile /etc/ssl/certs/cert.pem

SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt

</VirtualHost>

to a site-available .conf file, but I still get the scary error message. Any suggestions?

I am trying to install a Godaddy cert and I am having issues with mobile browsers reporting the certificate is not trusted. I believe this is due to the Intermediate certificate. I make most of the changes through the webmin interface. For Virtual Host on port 443 I have SSL on with the cert and certificate authorities file fields filled in with paths to the files - cert.pem and bundle.crt. When I apply/stop/start apache these directives are updated in the global config.

I am getting the following messages after I paste my CRT and KEY in the Webmin > SSL Encrytion > Upload Certificate ... Questions: What can I do to revert back to the default? I dont want to reinstall all the time.

I have done this on 3 fresh installs and after a reboot Apachee will not restart

Is there a way to "reset" (aka back to normal) so that it can just use the default certificates

Is Webmin the problem? Do I have to use the command line to edit Apachee2 conf files?

I have never used Webmin to fill in cert and key, specifically, so I don't know the situation specifically you have, but my feeling is that you don't need a customized cert for webmin or webshell. You are the only one normally logging in and you can always accept the self-signed or built in cert.

Where you want a custom cert is on the outward pointing system/web site etc. Above I noted how I normally install a cert in the post titled "My 2 Step and 2 Bits on SSL Certs" . Specifically there you need to get your key, cert, and trusted authority certs all be installed. I do that through Webmin, but functionally as a series of "text edits" in the APACHE SERVER SETUP in Webmin - or directly in Webshell.

When you do this the cert will move forward with TKLBAM backups and restores and you will only have to update the setup when your certificate (or certificates) expire.

Hope this helps - again, see the post above titled. You are Setting these settings within APACHE in Webmin normally as opposed to the whole install.

As an iOS developer, I own a number of trusted certificates by Apple, including those conencted to remote notifications. Is it possibile to use them in the Apache https configuration to get rid of the warning on web sites, and how to do it?

Yes! Its possible to get ride of those security warning on web sites by making certain modification on Apache HTTPS Configuration, but in order to do that you must have SSL certificate from trusted CA!

I have drafted tutoril on this but its all about Apple Mac OS X Server! I wish, It could help you and guide you!

Initially I thought your thread hijack was somewhat legitimate (I thought you were referring to using an Apple provided cert on a TurnKey appliance). But now we're totally off topic talking about OSX servers and CentOS. These are the TurnKey Linux (Debian based software appliances) forums. Please take your discussion somewhere more appropriate. At least have the courtesy to start your own thread rather than hijacking someone else's and taking it completely off topic...

I did not note when I went off-topic. I still need a trusted certificate for my centOS Apache server to get rid of the warning, and I wondered whether I could use the ones I already use for my Apple remote notifications.

Locally (at home) the https works like a charm, but when accessing my cloud from an external network on the web interface mainly. Upon first login through https works fine, logging out and login again. The page does not load, like it loses connection, but testing on different network it's works again, but does the exact same with login/logout, page not load

disabled enforce https, all is fine, logged in and logged out multiple times, no issue